
A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?

California’s Data Protection Act—“Army Of One”

In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.

The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.”

The CDPA takes a very broad view of personal information, defining the term to include:

An individual’s signature,

A person’s physical characteristics or description,

Information collected through an automated license plate recognition system, and

An individual’s employment and employment history.

The CDPA also requires that if a company experiences a data breach and decides to offer “identity theft prevention and mitigation services” to affected persons, then it must provide these services to affected persons for at least 12 months and at no cost. Additionally, unlike many other state laws about data breaches, the CDPA requires a company affected by a data breach to submit a sample of the data breach notification letter to the California Attorney General.

“Vultures” Go Phishing At Sprouts

What’s Phishing? In a phishing scam, a fraudulent email message appears to be legitimate, and often directs one to a spoofed website in order to dupe the recipient into divulging private personal information. The perpetrators then use this information to commit identity theft.

In March 2016, a Sprouts employee received an email purportedly from a Sprouts senior executive, asking for the 2015 W-2 statements of all Sprouts employees (which contain social security numbers). In reality, the email was sent by a third party and was a phishing scam.

In response to the phishing email, the W-2 forms of thousands of current and former employees were compiled and sent to the third party. Sprouts later realized the error and notified the affected individuals of the data breach.

Shortly afterwards, a former Sprouts employee filed a class action lawsuit against the company, alleging violations of the CDPA and the California Unfair Competition law. The suit alleges essentially that the employer should have had procedures and policies in place to protect employee information from a phishing attack because such attacks are commonplace in the information age. A First Amended Complaint was filed on May 25, 2016, and Sprouts has not yet filed its response.

The Sprouts case highlights how important it is for California employers to have a data protection and data breach notification plan. Such a plan is instrumental in heading off attacks by hackers and bad actors seeking private employee data to commit identity theft.

“Anything But Me”—What’s An Employer To Do?

The California Attorney General has issued annual reports analyzing data breach notices and providing recommendations to companies and employers for implementing data breach plans, including recommending that companies and employers:

Implement the Center for Internet Security’s Critical Security Controls as the “minimum level of information security” if they handle personal data.

The Attorney General has stated that “[t]he failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Implement “strong encryption” for personal information on laptops and other portable devices, and consider full encryption on desktop computers when not in use.

Encrypt digital personal information when moving or sending personal information out of their secure network.

Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices.

Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.

Provide training to employees and contractors on data security controls.
